Rule #2 of Zombie Protocol Land: The Double Tap

As a young security professional I’ve always been aware of SSL’s status as a legacy protocol. TLS was proposed as a replacement before I entered High School. For me it was little surprise that in mid 2014 a Padding Oracle On Downgraded Legacy Encryption vulnerability surfaced. Better known as POODLE, this vulnerability dealt a death blow to SSL, and it wasn’t long before TLS felt its sting. The removal of SSL from environments has been reluctantly accepted by most systems administrators. TLS on the other hand survived, now in the light and scrutiny of nervous security professionals. Businesses needed to know, if TLS was strong enough to meet compliance needs and lower risk. Systems administrators wanted to know, how hard a replacement is to implement.

Risk

Industry standard security models used in enterprise environments are often modeled after an onion. This onion is comprised of layers of security technologies working together to protect the whole. TLS provides identity validation and transport protection for data as it moves through the internet. This limits the risk created by POODLE to man in the middle attacks or eavesdropping.

A successful attack using the POODLE vulnerability allows an attacker to bypass encryption provided by TLS. Sensitive data captured by an attacker can be read in plain text and even altered without alerting the victims. This attack can be preformed on any captured or replayed data collected by an attacker. Local network attacks are a more common environment for this vulnerability.

You can’t patch a protocol, but you can update it

SSL and TLS are IETF protocols which provide a framework for developing compatible applications to provide transport layer security. When developers write software these protocols dictate input and output a different platform will provide or require.

In their RFCs, definition documentation, SSL and TLS cipher suites are defined. A cipher suite is the mathematical model used by the protocol to convert data between encrypted and plain text. The major component for defining encryption in a cipher suite is the encryption mode. SSL and TLS each provide similar definitions for Cipher Block Chaining encryption modes. POODLE specifically exploits functionality implemented improperly in the SSL definition of this encryption mode. In TLS CBC is expanded with controls to prevent exploitation of this functionality.

So what is a padding oracle attack anyway

CBC encryption as defined by SSL (RFC 6101) encrypts data by separating a message into blocks of equal size and preforming a chained encryption not covered by the MAC. The length value of the padding is added to the end of the plain text as padding. To encrypt a plain text message CBC uses the plain text value from the end of the previous block to encrypt the block with a xor operation.

SSL CBC Padding

The initialization vector is the backbone of the cipher an attacker only requires finding it remove encryption from a whole message is guess the xor result from the block before. This can then be used to create a padding oracle that can then remove encryption from all following blocks.

CBC encryption used in SSL/TLS

TLS makes this a little harder by separating the padding at the end of the message and places it at the end of each block. Defined in RFC 5246 the amount of padding added to the block is a multiple of the plain text message’s length. This makes it harder to know which piece of the block is used as the initialization vector for the next block.

TLS CBC Padding

If TLS is not vulnerable than why was it effected

Aside from expanded CBC protections TLS also has added functionality to allow it to function along side older SSL protocols. When TLS was released older browsers didn’t have support for it. This required TLS software to preform SSL functionality as needed for backwards comparability. In fact only very recently have browsers had support enabled by default.

To aid in the migration to the TLS protocol the majority of TLS definitions were copied from SSL and expanded on. However, some changes made were enough that the protocol was no longer compatible with SSL. The attack On Downgraded Legacy Encryption comes from this final addition to the first version of TLS for compatibility. TLS version one states that if the browser doesn’t specify use of TLS SSL is used. This allows servers to run both TLS and SSL services on the same port without conflicts or stability issues.

POODLE is an attack on outdated SSL ciphers leveraging functionality in TLS designed to ease transition to the new protocol. When SSL is removed from an environment TLS is now forced to use the TLS defined cipher suites.

While SSL has other issues in it the CBC issues could be remediated with removal of CBC ciphers. This would force SSL to use RC4 stream cipher suites. Unfortunately TLS doesn’t handle RC4 stream ciphers properly leaving any server disabling the CBC ciphers, in SSL, vulnerable to a similar attack on TLS.

The double tap

In October of 2014, SSL lying dead, most businesses finished removing SSL from vulnerable web servers. Brian Smith stumbled upon the corpse of SSL hiding in TLS. It is said the first rule of cryptography is don’t write your own, and the second rule of course is don’t write your own. However, this does not apply to the authors of cryptography software as they have to write the functionality. Unfortunately TLS was ported from SSL and some of the functionality that was found to be weak was not properly expanded on when ported.

Many manufactures of TLS software were quick to add in missing functionality. Windows libraries were found to be not vulnerable as binaries were either outdated or built correctly by Microsoft. This finding mainly effected linux servers and many security vendors released custom patches while waiting on the distribution updates.

How to avoid this in the future

POODLE provided an example of the danger outdated protocols and legacy software poses to an environment. TLS had been available to use for 15 years before it finally replaced SSL. Reluctance to remove support for outdated software was a major factor in its length of service. The lesson that should be learned is the importance of staying updated and current with software and protocols. It should also be pointed out that SSL should have been depreciated much earlier.

Poor porting of TLS from SSL exposed problems with porting and preforming all the changes requested by the new spec. If it fits it ships is a common phrase in development, however, in this case the product fit the mold it was just not the right size.